A Strategy for Addressing Cyber Security Challenges

1. A Strategy for Addressing Cyber Security Challenges Mustaque Ahamad Professor of Computer Science, Georgia Ins>tute of Technology Global Professor of Engineering, New York University Abu Dhabi Co-‐founder and Chief Scien>st, Pindrop Security

2. A Couple of Observa>ons •  Cyber security has become an extremely important problem for people, businesses and governments. •  Addressing cyber security challenges presents serious challenges. •  Cyber now reaches into cri>cal physical systems. •  Cyber security is going to be a journey, not a des>na>on.

3. Are Things Really Bad? •  Growing sophis>ca>on of the threat landscape –  Cyber criminals, hack>vits, terrorists and na>on-‐states –  Cyber crime costs are reaching half a trillion dollars (In India, 0.21% of GDP, McAfee 2014 Report) –  Greatest transfer of wealth (Keith Alexander, hXp://foreignpolicy.com/2012/07/09/nsa-‐chief-‐cybercrime-‐cons>tutes-‐the-‐greatest-‐transfer-‐of-‐wealth-‐in-‐history/ ) •  Complex technology ecosystem –  “Reﬂec>ons on trus>ng trust” •  People, processes and coordina>on across mul>ple stakeholders

4. Threats + Vulnerabili>es => AXacks •  Can we make threats go away? •  AXribu>on is extremely difficult •  Global and transna>onal •  How can we address vulnerabili>es? •  Security errors in sofware (over 1700 entries in NVD in last 3 months) •  Asymmetry – aXackers only need to find one bug, we need to fix all •  People are weak links •  Only higher assurance, no perfect security –  Stronger preven>on and early detec>on –  Faster recovery and remedia>on

5. So, What Can We Do? •  Educa>on – Developing the “security mindset” – Undergraduate and graduate programs •  Research – Rapidly evolving ﬁeld •  Policy, legal and regula>on – It is much more than technology

6. Educa>ng Cyber Security Professionals •  US Na>onal Ini>a>ve for Cybersecurity Educa>on (NICE) hXp://csrc.nist.gov/nice/framework/

7. Capacity Building for Educa>ng Cyber Security Professionals •  What do we do? –  Undergraduate or graduate programs? –  Integra>ng security concepts in CS curriculum? –  Voca>onal programs? •  How do we do it? –  So, where do we ﬁnd cyber security faculty? –  Developing hands on projects and laboratories •  US Response –  Centers of Excellence Program (NSA/DHS) –  Scholarship-‐for-‐Service (SFS) Program) –  NSF SaTC Educa>on Projects •  Curriculum development, sharing, workshops etc.

8. Research Capacity Building •  Evolving threat landscape and rapidly changing technologies – Gelng ahead of emerging threats – “Test and verify” rather than “trust but verify” •  Diverse set of research challenges – Trustworthiness of technology to human dimension •  Real-‐world impact of research – Tech transfer and commercializa>on

9. Example I: Malware Analysis •  Scalable malware analysis system processes approximately 250K samples a day •  Extrac>ng features from communica>on paXerns •  Big data due to deep packet analysis and event volume •  Machine learning for aXribu>on •  Visualiza>on and ac>onable intelligence Mariposa Botnet Tracking and Takedown

10. Example II: Data-‐Driven Cyber Risk •  Collect cyber risk relevant data from mul>ple sources – Vulnerabili>es – Exploit kits and malware – AXack data (public and private) •  Analy>cs and visualiza>on – Lean back and lean forward Calendar view of reported vulnerabili>es

11. Na>onal R&D Strategy: US Example •  Na>onal Science Founda>on Secure and Trustworthy (SaTC) –  Launched afer developing a na>onal strategy ( hXps://www.whitehouse.gov/sites/default/ﬁles/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf) –  Interdisciplinary including behavioral and economic aspects •  DHS, DARPA and NSA Ini>a>ves –  Cri>cal infrastructure security (CPS) –  Resilient and transparent compu>ng –  Science of security •  Networking and Informa>on Technology Research and Development (NITRD) Program –  Coordinated across mul>ple agencies –  High level goal is to maintain US technological leadership in this ﬁeld

12. Cyber Security Policy •  Policy development is as important as best technical safeguards •  Should companies and government agencies required to prac>ce certain level of cyber hygiene? •  Informa>on sharing and coordina>on •  Privacy •  Legal and enforcement issues

13. Lessons Learned •  Educa>on capacity building – Aggressively support centers like CERC IIIT Delhi – CS curriculum needs to be augmented with cyber security oﬀerings at all levels – “Educa>ng the educators” – summer schools, workshops and hosted programs – What do we do about faculty? •  Incen>ves for CS faculty members to shif/expand their research into cyber security •  Be crea>ve (professor of prac>ce, global professor etc.)

14. Lessons Learned Contd. •  Research capacity building –  You cannot be a major player without a strong research base •  How many papers at security conferences from India? –  Launch/seed a few ambi>ous (and high risk) research projects like NSF’s fron>ers –  Start/get security conferences to India to grow the community –  Applied research exper>se •  Cannot only rely on security vendor professionals for crisis handling •  CDC for cyber, CERT 2.0? –  Coordina>on across Na>onal Labs, DRDO?? –  Home grown cyber security companies??

15. Lessons Learned Contd. •  Cyber security is much more than technology – Policy, regulatory and legal dimensions – Cyber security maturity model and best prac>ces – Preparedness assessment – Conversa>ons at the highest level (WEF ini>a>ve) – Informa>on sharing, coordina>on and mutual aid – Informal trust networks

16. Conclusions •  Cyber risk ranks among the top global risks (2015 WEF Global risks report) •  Na>onal response is of cri>cal importance •  Need to move at “network speed” •  It is all about capacity building •  Ignore research at your own peril

A Strategy for Addressing Cyber Security Challenges

Cybersecurity Education and Research Centre

A Strategy for Addressing Cyber Security Challenges